
Add CVE-2019-10842 - remote code execution in bootstrap-sass #386

Merged Apr 4, 2019 (2 commits)

Conversation

@eoinkelly (Contributor)
@emilebosch

C'mon, get this merged already!

@colby-swandale (Member)

@emilebosch How about you back off and stop complaining about something you get for free.

phillmv merged commit f27c4f0 into rubysec:master on Apr 4, 2019

@phillmv (Member) commented Apr 4, 2019

Hello,

Thanks for the submission @eoinkelly. I updated the text to match the CVE.

@lirantal Hey! Great write up. We're pretty similar to the nodejs wg, so next time if you're feeling frisky drop us a line ;).

eoinkelly deleted the CVE-2019-10842 branch on April 4, 2019 17:18

@emilebosch commented Apr 5, 2019

> @emilebosch How about you back off and stop complaining about something you get for free.

@colby-swandale Woah, sir, that's harsh 😓 I don't really like how you address me :( I'm assuming you had a bad day. I didn't do anything wrong, and this is really one of the simplest remote executions to pull off in an insanely popular gem. If I had the rights to merge it, I would have done it myself. Also, the argument "it's free, so you can't complain" doesn't really hold ground. We all try to make things better.

As an illustration, it's really just a matter of base64-encoding a single line of code to build a reverse shell and curling it to the top 1000 Rails sites.

The first thing people do when hitting a Rails vulnerability is run bundle audit update and bundle audit, and when that turns red, we update. We love bundle audit; it's one of the last things we have to keep security in check and prevent us from doing vulnerable deploys.

I would have loved an answer such as "we're swamped, I can make you a member instead so you can merge it"; that would have both offloaded this work and future work from your back and prevented this silly argument.

If you have any other suggestions, let me know!

Hope you have a nice day 😘
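
The comment above describes the workflow of running bundle audit against a lockfile and treating a red result as a blocked deploy. The script below is an added example (not code from this PR, from bundler-audit, or from ruby-advisory-db) that shows the decision bundle audit makes: parse the pinned versions out of a Gemfile.lock and flag any gem whose version satisfies neither the advisory's unaffected_versions nor its patched_versions. The YAML field names follow the ruby-advisory-db layout; the advisory body, the version ranges and the Gemfile.lock are constructed for illustration and are not copied from the merged advisory, which this page does not show.

```ruby
require "rubygems"   # Gem::Version and Gem::Requirement ship with Ruby
require "yaml"

# Constructed advisory in the ruby-advisory-db YAML layout. The field names
# are the database's; the version ranges are illustrative only (assumption),
# not taken from the merged advisory for CVE-2019-10842.
ADVISORY_YAML = <<~YAML
gem: bootstrap-sass
cve: 2019-10842
title: Remote code execution in bootstrap-sass
unaffected_versions:
  - "< 3.2.0.3"
patched_versions:
  - ">= 3.2.0.4"
YAML

# Constructed Gemfile.lock fragment (sample input, not a real project lockfile).
LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    bootstrap-sass (3.2.0.3)
      autoprefixer-rails (>= 5.2.1)
      sass (>= 3.3.4)
    rack (2.0.6)
    sass (3.7.3)

PLATFORMS
  ruby

DEPENDENCIES
  bootstrap-sass
LOCK

# Extract the resolved gem versions from the specs: block. Bundler indents
# pinned gems by exactly four spaces and their dependency lines by six, so
# matching on four leading spaces yields each gem once with its version.
def locked_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES) ends the block.
    in_specs = false if line =~ /\A\S/ || line.strip.empty?
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      gems[$1] = Gem::Version.new($2)
    end
  end
  gems
end

# A pinned version is vulnerable unless it satisfies at least one
# unaffected_versions or patched_versions requirement. Both lists are
# treated as "safe" ranges; anything outside them is reported.
def vulnerable?(advisory, version)
  safe = Array(advisory["unaffected_versions"]) + Array(advisory["patched_versions"])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Audit a lockfile against a list of advisories and return one finding per
# match. An empty result is the green case; anything else should block the deploy.
def audit(lockfile, advisories)
  gems = locked_gems(lockfile)
  advisories.select { |adv| gems[adv["gem"]] && vulnerable?(adv, gems[adv["gem"]]) }
            .map { |adv| "#{adv['gem']} #{gems[adv['gem']]} is affected by CVE-#{adv['cve']}" }
end

ADVISORIES = [YAML.safe_load(ADVISORY_YAML)]

if __FILE__ == $0
  findings = audit(LOCKFILE, ADVISORIES)
  puts(findings.empty? ? "No vulnerabilities found" : findings)
end
```

The check deliberately refuses to guess: a version that is neither below the unaffected range nor at or above the patched range is reported, so a lockfile pinned to a backdoored release turns red even if the advisory never lists that exact version. In CI you would feed the real Gemfile.lock and the advisory directory instead of the constructed inputs, and fail the build on a non-empty result.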

@PragTob commented Apr 5, 2019

@emilebosch while I agree that the text was a bit harsh, commenting "come on get this merged already" not even an hour after a PR was opened also doesn't help anyone. It doesn't help the maintainers discover the PR (they get no more notifications than from the original PR), so all it does is exert pressure and convey that the maintainers aren't doing a good job. They usually have jobs, breaks, sleep, family or whatnot; the expectation to always watch their notifications and merge within an hour isn't really humane. This leads to burnout among OSS maintainers.

So, I suggest thinking empathetically about what your comment will accomplish and what emotions it might cause.

@lirantal (Contributor) commented Apr 5, 2019

> @lirantal Hey! Great write up. We're pretty similar to the nodejs wg, so next time if you're feeling frisky drop us a line ;).

@phillmv sounds exciting :-)
I was thinking we could do some interesting cross-community interactions as well, in terms of inviting each other to both teams' sessions, sharing insights, and exchanging challenges and ideas.

If that sounds interesting, I'd be happy to make it work.

@reedloden (Member)

@lirantal I'm around here as well, so I am happy to assist in connecting the two groups. :-)


7 participants